

Advanced Persistent Threat

An Advanced Persistent Threat is an adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception), to generate opportunities to achieve its objectives which are typically to establish and extend its presence within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.

The Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA) and others have emphasized that APTs are conducted by highly sophisticated, patient actors, and that, by the very nature of an APT, persistence is their key goal. This means that defenders need very high skill levels, with the knowledge and experience to detect and eradicate APT actors from Federal government systems.

APT groups are widely classified as organizations that lead attacks on a country’s information assets of national security or strategic economic importance through either cyber espionage or cyber sabotage. They are more elusive, sophisticated, and effective at what they do than traditional hackers. Threat actors who lead APT attacks tend to be motivated and committed. They have a goal in mind and are organized, capable, and intent on carrying out that goal. Some of these threat actors exist under a larger organization, like a nation-state or corporation. These groups are engaged in espionage with the sole purpose of gathering intelligence or undermining the target’s capabilities.

In general, APTs go after higher-value targets such as other nation-states or rival corporations. Two telling characteristics of an APT attack are its extended duration and its consistent attempts at concealment. Nation-state adversaries pose an elevated threat to US national security. These adversaries are known for their advanced persistent threat (APT) activity:

  • The Chinese government—officially known as the People’s Republic of China (PRC)—engages in malicious cyber activities to pursue its national interests including infiltrating critical infrastructure networks.

  • The Russian government—officially known as the Russian Federation—engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.

  • The North Korean government—officially known as the Democratic People’s Republic of Korea (DPRK)—employs malicious cyber activity to collect intelligence, conduct attacks, and generate revenue.

  • The Iranian government—officially known as the Islamic Republic of Iran—has exercised its increasingly sophisticated cyber capabilities to suppress certain social and political activity, and to harm regional and international adversaries.

An APT can last for many months and can do untold damage to an enterprise in stolen data and trade secrets.

Advanced Persistent Threat Lifecycle

As APTs grew in number, they also evolved and matured. APTs take advantage of multiple attack points in systems and networks and hijack users’ credentials at a low and slow pace to remain inconspicuous and undetected. Consequently, the lifecycle of an APT is much longer and more complex than other kinds of attacks.
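The "low and slow" credential abuse described above is exactly the activity a short-window brute-force rule misses. The following example, added here and not part of the original page, contrasts a classic burst rule (many failures from one source within an hour) with a long-lookback rule (many failures, spread across several accounts, from one source within thirty days) over a constructed authentication log. The log format (timestamp, outcome, user, source address) and the sample lines are assumptions made for the example.

```python
"""Added example: burst rule vs. long-lookback rule for low-and-slow credential abuse."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page). Fields: ISO timestamp, outcome, user, source.
# 198.51.100.7 makes ONE failed login per night, rotating through five accounts, for 14 days.
# 10.0.0.5 is a user who mistypes a password twice and then succeeds.
# 203.0.113.9 is a noisy burst of six failures against one account inside ten minutes.
SAMPLE_LOG = """\
2024-03-01T02:14:00Z FAIL alice 198.51.100.7
2024-03-02T03:02:00Z FAIL carol 198.51.100.7
2024-03-03T01:47:00Z FAIL dave 198.51.100.7
2024-03-03T09:40:00Z FAIL bob 10.0.0.5
2024-03-03T09:41:00Z FAIL bob 10.0.0.5
2024-03-03T09:42:00Z OK bob 10.0.0.5
2024-03-04T02:33:00Z FAIL erin 198.51.100.7
2024-03-05T03:19:00Z FAIL frank 198.51.100.7
2024-03-05T11:00:00Z FAIL admin 203.0.113.9
2024-03-05T11:02:00Z FAIL admin 203.0.113.9
2024-03-05T11:03:00Z FAIL admin 203.0.113.9
2024-03-05T11:05:00Z FAIL admin 203.0.113.9
2024-03-05T11:07:00Z FAIL admin 203.0.113.9
2024-03-05T11:09:00Z FAIL admin 203.0.113.9
2024-03-06T02:05:00Z FAIL alice 198.51.100.7
2024-03-07T01:58:00Z FAIL carol 198.51.100.7
2024-03-08T02:41:00Z FAIL dave 198.51.100.7
2024-03-09T03:07:00Z FAIL erin 198.51.100.7
2024-03-10T02:22:00Z FAIL frank 198.51.100.7
2024-03-11T01:50:00Z FAIL alice 198.51.100.7
2024-03-12T02:36:00Z FAIL carol 198.51.100.7
2024-03-13T03:11:00Z FAIL dave 198.51.100.7
2024-03-14T02:09:00Z FAIL erin 198.51.100.7
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, outcome, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, user, src))
    return events


def burst_alerts(events, window=timedelta(hours=1), threshold=5):
    """Classic rule: flag a source with `threshold` failures inside any `window` (sliding)."""
    by_src = defaultdict(list)
    for ts, outcome, _user, src in events:
        if outcome == "FAIL":
            by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def low_and_slow_alerts(events, lookback=timedelta(days=30), min_failures=10, min_accounts=3):
    """Long-lookback rule: flag a source whose failures within `lookback` of the most recent
    event are numerous AND spread across several distinct accounts (password spraying shape)."""
    if not events:
        return {}
    now = max(ts for ts, _o, _u, _s in events)
    by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "FAIL" and now - ts <= lookback:
            by_src[src].append(user)
    flagged = {}
    for src, users in by_src.items():
        accounts = sorted(set(users))
        if len(users) >= min_failures and len(accounts) >= min_accounts:
            flagged[src] = (len(users), accounts)
    return flagged


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("burst rule flags:", burst_alerts(EVENTS))            # only the noisy source
    print("low-and-slow rule flags:", low_and_slow_alerts(EVENTS))  # only the patient source
```

The burst rule never sees more than one failure per hour from 198.51.100.7 and stays silent on it, while the lookback rule keys on the two traits the text names (long duration, many quiet touches) and flags it; the noisy 203.0.113.9 is caught by the burst rule but falls below the lookback rule's failure floor. In practice both rules run side by side, and the lookback window is sized to the retention the logging platform actually keeps.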

In 2010, the Google Aurora attack forever changed the way organizations look at internet security. This large-scale, sophisticated attack demonstrated to all sectors, from public to private, that they are vulnerable to a new class of security breach, the Advanced Persistent Threat (APT). Once limited to opportunistic criminals, cyber-attacks are becoming a key weapon of state-sponsored entities seeking to exert increased influence, defend national sovereignty and project national power. More recently, the SolarWinds compromise brought to light the enormous third-party vendor risk to one’s supply chain. This compromise, and others like it, has demonstrated that APTs leverage highly sophisticated Tactics, Techniques, and Procedures (TTPs), which can only be successfully countered by a well-trained, proven organization: one equipped with the specialized knowledge and skill to identify, protect against, and detect APTs comprehensively, and to respond and recover adequately.

APT actors are well-resourced and engage in sophisticated malicious cyber activity that is targeted and aimed at prolonged network/system intrusion. APT objectives could include espionage, data theft, and network/system disruption or destruction. Organizations within the cybersecurity community conducting APT research assign names/numbers to APTs upon discovery. Because more than one organization engages in APT research, and there may be overlaps among APTs, there can be multiple names for a single APT. There is no ultimate arbiter of APT naming conventions. For examples of APT listings, see MITRE ATT&CK’s® Groups, Mandiant’s APT Groups, and Microsoft’s Threat Actor Naming Taxonomy.

Although CISA uses the APT names that the cybersecurity community most prevalently uses, any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Despite the stealthy nature of APT attacks, there are preventative measures organizations can take to protect themselves against the loss of critical information. One of the most important steps in protecting against APTs is to have layered cybersecurity protections in place. This will not only help to prevent APTs, but will also ensure that an organization’s most sensitive data would remain protected if an APT attack were to happen.
